Malware Analysis Report

2024-10-19 02:13

Sample ID 240106-qw18wsaga4
Target 465e008ae44b8e00364cfa199b450eb3
SHA256 1823176ae53c5e51f5b421341682c0a812b931687e7685c3b4275b99586b519e
Tags
nullmixer privateloader smokeloader vidar 706 pub5 aspackv2 backdoor dropper loader stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1823176ae53c5e51f5b421341682c0a812b931687e7685c3b4275b99586b519e

Threat Level: Known bad

The file 465e008ae44b8e00364cfa199b450eb3 was found to be: Known bad.

Malicious Activity Summary

nullmixer privateloader smokeloader vidar 706 pub5 aspackv2 backdoor dropper loader stealer trojan

NullMixer

PrivateLoader

Vidar

SmokeLoader

Vidar Stealer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

ASPack v2.12-2.42

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-06 13:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 13:37

Reported

2024-01-06 13:40

Platform

win7-20231215-en

Max time kernel

151s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\c9ebbe1d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\c9ebbe1d7.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\0d5026350381.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\0d5026350381.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\3cf01e1373c46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\3cf01e1373c46.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\0d5026350381.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\dca6c247e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\dca6c247e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\0d5026350381.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\0d5026350381.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\3cf01e1373c46.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\3cf01e1373c46.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\3cf01e1373c46.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\aiegiii N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\aiegiii N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\aiegiii N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\c9ebbe1d7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\c9ebbe1d7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\c9ebbe1d7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\3cf01e1373c46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\3cf01e1373c46.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\3cf01e1373c46.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\aiegiii N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\e12de46c3c832.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3040 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3040 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3040 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3040 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3040 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3040 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2728 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe
PID 2728 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe
PID 2728 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe
PID 2728 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe
PID 2728 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe
PID 2728 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe
PID 2728 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe
PID 1948 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\e12de46c3c832.exe

Processes

C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe

"C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0d5026350381.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 190cee335.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 3cf01e1373c46.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\190cee335.exe

190cee335.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\3cf01e1373c46.exe

3cf01e1373c46.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\0d5026350381.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\0d5026350381.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\f6ab0314134.exe

f6ab0314134.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\dca6c247e3.exe

dca6c247e3.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\0d5026350381.exe

0d5026350381.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\c9ebbe1d7.exe

c9ebbe1d7.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\e12de46c3c832.exe

e12de46c3c832.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c9ebbe1d7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c dca6c247e3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f6ab0314134.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e12de46c3c832.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 968

C:\Windows\system32\taskeng.exe

taskeng.exe {D6A39467-7F54-445E-BFD1-77DA92FC6FF2} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aiegiii

C:\Users\Admin\AppData\Roaming\aiegiii

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
NL 37.0.8.235:80 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
N/A 127.0.0.1:49265 tcp
N/A 127.0.0.1:49267 tcp
NL 37.0.11.8:80 tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 aucmoney.com udp
US 8.8.8.8:53 thegymmum.com udp
US 8.8.8.8:53 atvcampingtrips.com udp
US 8.8.8.8:53 kuapakualaman.com udp
US 8.8.8.8:53 renatazarazua.com udp
US 8.8.8.8:53 nasufmutlu.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 e3e7d1f916fd97cf51bffa9635016bf9
SHA1 68eafcbcc474d57a8392f0a4f6dc203f961d7b9d
SHA256 1f8008ab724b246ffd90b7ca98c1384ff22927724c6a06997846bd250f455cfc
SHA512 92085459c6944eef9d1a2da89f430c244d523819bee34a8458a3cfc951bac25f36a3981b692a473f9a1897af81724e775045cf197a5cd5a9a574a50167cffc60

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 5101122360681593812abd2f20fb8160
SHA1 bb302ef85d6edf890f8c45860be91d413f7b0aad
SHA256 0c5efc8c9fdd6681068bf93b2f1a6b7d73bbae93f6d668b2ad21585ad416fcaa
SHA512 1f64965e391e7f2d1f0ba420ce2bbe12fe404ada02af6a82c9b4dce85f3f98035a77eb5432da8df440785f0d61ac4ef3a6dd75d5044a75f87037828866f2b774

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 7a48409b2da243030934e71344ddc505
SHA1 26cb11ab5f3e168e3036ef98f9b8ec9448b943de
SHA256 d448f45e006dbc7cfde2298a0fd75c8380fc9744ce2556a05af44840333eb390
SHA512 08b272ac21654dc04808146319ecf0913dcdc0f54b988046191eae42d798b46abdf7b3f4d5b462325cf3a0db80556c529376ef52dd4007fb12e2ba78ee0133d1

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 d772d6902200f5d4599a9b27d0d8f9e6
SHA1 564eefb3fabe655b2fb51f492959b158cb20e12d
SHA256 7bf11639663306b53a7fe0e3826d12f03e1dda7b1fb3abaa758e3281d35f8e17
SHA512 6682d79a013129aceba9cde75a82f0444a28d30bfbd1c4656d7e3774b469283027a780362657c908c991f9b5939db32792e6713a323667ab763a95b3f3e23d36

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 1d783bfd211c7a0949186eee30bc7d14
SHA1 ef7b4a9b6cd8b43d323252ede03ad838f85a9fd2
SHA256 9975f3c8f4354405ecab6ee14dae004ca2a56b0c3c851fcd644d932e49893452
SHA512 67992da7412b4c2aabd3a724fd312feb34cf5a1a3cd68a1663342c51c7b2aa479ca7edc7bc057060ead5dc3e2d5563865f3f3b0e43b47379f8df6ae7f3096f36

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1948-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\libstdc++-6.dll

MD5 c437504432dbdfda60cde6a504190d41
SHA1 b5908225be1ccfccd815d3bf92f329684666e936
SHA256 cfc017d2ad02e2c20baac0dcde221cf70a4a828d1c387e461e4932bd66b6826f
SHA512 13bc48b23f6f90283d5ae2c2a1abbdc702972e1d413f3a3369cc3add8c24861946638d2ee73a5938b0558da5c3fa06729a73d0e4b4be21468956499804dd62bd

memory/1948-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1948-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1948-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1948-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1948-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1948-54-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1984-119-0x00000000003C0000-0x00000000003C9000-memory.dmp

memory/1984-118-0x0000000000240000-0x0000000000340000-memory.dmp

memory/1984-120-0x0000000000400000-0x0000000000903000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\c9ebbe1d7.exe

MD5 7854ac2b28de1041670fbf557c016c8b
SHA1 61f98e0fdc20af551e1359fa75c4e6f7d258af39
SHA256 cbd70a18dcca9b8b227d1aa5540a737497181c6359d4460c75f35361c631ed3d
SHA512 5f381b759c3655418cd28b19f98e5915c5ac7c80c8d70ae9281b93e77557c979b2b70ca15ad0e3e3637630cba5fe1df6b363228c8aa8193168453c6d2b99198a

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\0d5026350381.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\c9ebbe1d7.exe

MD5 769f56f1bb580d3fba21bf01f4e2ca60
SHA1 e7c9d16ae797f6bea97f6002ec2d24bf39c88a45
SHA256 bd324bddc1ebbda8917ef1fcd75e5ab0c225f49e49c1c31daa96db40009394dd
SHA512 c0f4d24948aef5aabd55570a32eb438fd44af98d405ff854fd40555c8d4f409a88dec10e642e1f7e6ebcd8066948827aed1455e23b30d9c808d93142bef5bbd8

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\c9ebbe1d7.exe

MD5 edefa4918a6c5c3ef6cc32118a723fc4
SHA1 81fc4a508ec35019cf65d6175f55dc69779344c3
SHA256 d133528c57df4121c1578e52df8b18c0165c6a4c891596f92c9f2579dda86bc8
SHA512 b6a2e734c401c3c9d6f587ecca3066b08f468cd8bb1e268197e846b460468f8b4024fe6b80f1e34414a92bc90ccde064cd283ae9ab0d596c9879dc41d35ff6a9

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\c9ebbe1d7.exe

MD5 9b00936466485c47e35bbf3b6d46fa4e
SHA1 60343742c801ec85a3373f0f47a877ee8a53fd82
SHA256 8fd086cc2660a96a5c97ec4a44377f003c24ab825e5a4cb29975ac135c8668fd
SHA512 3fa9a38787587a1955d76f72fe49288ce2152b2f7b785b2c547fdb68d70477abf6c040c7d12d58373146edc655b11c771a5b9e1c9d2294d4ff0646bb57658ffb

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\e12de46c3c832.exe

MD5 bf78562d81291113d7664f8b10b38019
SHA1 7c1e6b7a9abcf1f96eb79ffdc7ea1831ad7f7889
SHA256 aa18f5ee23ba9686522956203b349217aebdc2c921471db1a89d4bc16d699251
SHA512 c94ac906daf9ca91983c58d353984b1b84334d7fa57581b32fd029b0db582ca00ef67f5ef0a1fc0fd624aa30d220503e5f1b70617a303712b2f5886ab5672f36

memory/1948-51-0x0000000064940000-0x0000000064959000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe

MD5 4e5f59ffd2158cb63e695c1f72ccbad6
SHA1 1f13df1e572b5ac987b7fbcce9deaa2594924faa
SHA256 4d2b4aab6e28ad88bcd60723f3cb054c06c05594af6c6bf9c5014eb9232f8a62
SHA512 8b0df3611b377868558af3805eed5451602f014161ecbffc83b9ad576ab3a3d329c28148c62b42b2099a062a25ea1ab69ec7723cc524a9fc87b0077d2f102017

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe

MD5 ac4ed5970509c77d2a47a8d319aabdd5
SHA1 2f8e4e67e698df615b84badfc304a4ff05c3f74a
SHA256 8988db0ad8096f18fce73131462929c37183fff6f2a6f851313a9643cc3ffa93
SHA512 5b601baeabcd5d72a637643d5f08503b034856958c8bc301df54e51ce856a809e035d52e026e4252d4c97f7f6f14955c126e9514fc2e8b5dd49d99f9905d1ac1

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe

MD5 bbcf3142a193be60f7eadf0e5f6bc06b
SHA1 6aea82c9a4761419defbeb854ec09021a8e87338
SHA256 e72a53838f7f1f3d271e1d1aa9c75e0fbd2462fd7e15c42455c90d5a173e46f4
SHA512 a52989124aacd147aaa267007403c21b24ee4264a1dc0614428bcbdc9f03402d4df251fcc1b22581dd819c474aa8f8dd01bae12cde0cd11faccf3a462da4bff6

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\setup_install.exe

MD5 b451e18d17f9d13a6a77224fa8b8d66f
SHA1 c62fea158c72c8ce16467f4b7d2225744dc7b330
SHA256 274c5222b3aebb56b2a3cea502fe17deccf3e72324ff1d07dd0b401a7b374842
SHA512 c4edeeb95fa08d8f5b3c506eb175648cf2a760d2bab207b3be64cd7ff288f1ac6421cc63376591fd3968eb071376b88e9da589eafbceeaade8cee2c9bc1dcd23

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1948-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS8AA4A2A6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2840-122-0x0000000000320000-0x0000000000350000-memory.dmp

memory/2008-121-0x00000000010C0000-0x00000000010C8000-memory.dmp

memory/2008-126-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

memory/2016-128-0x0000000000FB0000-0x000000000104D000-memory.dmp

memory/2016-129-0x0000000000400000-0x0000000000958000-memory.dmp

memory/2840-131-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/2016-130-0x0000000000A90000-0x0000000000B90000-memory.dmp

memory/2840-127-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

memory/2840-133-0x00000000001D0000-0x00000000001F2000-memory.dmp

memory/2008-134-0x000000001A8E0000-0x000000001A960000-memory.dmp

memory/2840-135-0x00000000001F0000-0x00000000001F6000-memory.dmp

memory/2840-136-0x000000001ACB0000-0x000000001AD30000-memory.dmp

memory/1948-180-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1948-179-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1984-182-0x0000000000400000-0x0000000000903000-memory.dmp

memory/1984-184-0x00000000003C0000-0x00000000003C9000-memory.dmp

memory/1300-181-0x0000000003AB0000-0x0000000003AC6000-memory.dmp

memory/1948-220-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2016-221-0x0000000000400000-0x0000000000958000-memory.dmp

memory/1948-219-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1948-217-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1948-188-0x0000000000400000-0x000000000071D000-memory.dmp

C:\Users\Admin\AppData\Roaming\aiegiii

MD5 fdc802b8df399f6708ea8a6b97876bbf
SHA1 0681baa0c0dd95e131e17e7657fdbd852eadc2fd
SHA256 0260280cc56474e9b64234716127ccf2612af51c715611f870e515893b08848c
SHA512 f66345e30bf2042af86770c096dec5ae42a7e4519dececb564f1849c1de6b608088b365c88466f4462657acb6d70a8664add0cd1dc5a6c21c3bc4f926b53c7a8

memory/2008-254-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

memory/2840-255-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

memory/2016-293-0x0000000000A90000-0x0000000000B90000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a3a2e38b4f347abb718ebc94a91b209
SHA1 4f6233c969fb126c02ee2d7cc977ca0b1f42dd25
SHA256 3fa981e91bc3c08e53660aaace2fdb877a86a4674ae2aad4d1754ac3acf7b157
SHA512 132340759dee134d8e748517abad36d9ec3defe1ea4d2a0aea741f5772eddbb5b25ab5ec69c4e5e806f10572b4897f3e8a0cd3e9a44d5cbbcf92af0eeda8d4f7

memory/2008-337-0x000000001A8E0000-0x000000001A960000-memory.dmp

memory/2840-338-0x000000001ACB0000-0x000000001AD30000-memory.dmp

memory/2840-364-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

memory/1548-422-0x0000000000AC0000-0x0000000000BC0000-memory.dmp

memory/1548-423-0x0000000000400000-0x0000000000903000-memory.dmp

memory/1548-428-0x0000000000400000-0x0000000000903000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 13:37

Reported

2024-01-06 13:40

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\3cf01e1373c46.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\3cf01e1373c46.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\3cf01e1373c46.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\3cf01e1373c46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\3cf01e1373c46.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\3cf01e1373c46.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\e12de46c3c832.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\190cee335.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2212 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2212 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3624 wrote to memory of 1404 N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe
PID 3624 wrote to memory of 1404 N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe
PID 3624 wrote to memory of 1404 N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe
PID 1404 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe
PID 3144 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe
PID 3144 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe
PID 2932 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\e12de46c3c832.exe
PID 2932 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\e12de46c3c832.exe
PID 4184 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\c9ebbe1d7.exe
PID 4184 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\c9ebbe1d7.exe
PID 4184 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\c9ebbe1d7.exe
PID 4960 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\190cee335.exe
PID 4960 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\190cee335.exe
PID 3884 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\dca6c247e3.exe
PID 3884 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\dca6c247e3.exe
PID 3884 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\dca6c247e3.exe
PID 4016 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\3cf01e1373c46.exe
PID 4016 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\3cf01e1373c46.exe
PID 4016 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\3cf01e1373c46.exe
PID 1340 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\f6ab0314134.exe
PID 1340 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\f6ab0314134.exe
PID 1056 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe
PID 1056 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe
PID 1056 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe

Processes

C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe

"C:\Users\Admin\AppData\Local\Temp\465e008ae44b8e00364cfa199b450eb3.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe"

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe

0d5026350381.exe

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\190cee335.exe

190cee335.exe

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\f6ab0314134.exe

f6ab0314134.exe

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe

"C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\0d5026350381.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1404 -ip 1404

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\3cf01e1373c46.exe

3cf01e1373c46.exe

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\dca6c247e3.exe

dca6c247e3.exe

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\c9ebbe1d7.exe

c9ebbe1d7.exe

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\e12de46c3c832.exe

e12de46c3c832.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 3cf01e1373c46.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c9ebbe1d7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 190cee335.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c dca6c247e3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f6ab0314134.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e12de46c3c832.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0d5026350381.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3408 -ip 3408

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 113.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 53.96.141.3.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
NL 37.0.8.235:80 tcp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 37.0.11.8:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
N/A 127.0.0.1:53865 tcp
N/A 127.0.0.1:53867 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 tcp
US 3.141.96.53:443 tcp
US 8.8.8.8:53 udp
US 3.141.96.53:443 tcp
US 20.231.121.79:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 e57e91b91c9045f6a3a858c682578fd3
SHA1 4b15a2026bff8e9fc63cf26e13fffb3ca1dbad56
SHA256 3217f0d13cf2fd54f17f58803c0013d524fdf3e4994558b4c026c555d2756dee
SHA512 42e7cc960914c020a59a6686ee59a09596a82fae6dc5859d8e8a69c5577507e603a6df45e4de94ca157b5fb1672ddca57dd199648349a792bb7d179656de9e81

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe

MD5 bb0985703c0401f5cbd11d7c71db1bb2
SHA1 b7a6520daa7a4d374e4dd07496496ffd6d61ed49
SHA256 4beced139e817100a9e8849edc29aeda3b0ad1497b6dcef5fefd26f1d2abf9b6
SHA512 46646656ba60c43f2db137760832d59423c3eba05432b5901896e3a3742365f5543347ffc0a71915f6502006a9d2082d2e81690fd04bb2e4a43703bb02e7da7a

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/1404-47-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1404-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2300-75-0x0000000000220000-0x0000000000228000-memory.dmp

memory/2588-84-0x0000000000220000-0x0000000000250000-memory.dmp

memory/2588-94-0x00007FFD81190000-0x00007FFD81C51000-memory.dmp

memory/2588-96-0x00000000009F0000-0x0000000000A12000-memory.dmp

memory/2588-98-0x0000000000A10000-0x0000000000A16000-memory.dmp

memory/2588-99-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

memory/4500-102-0x0000000000960000-0x00000000009FD000-memory.dmp

memory/4500-101-0x0000000000A00000-0x0000000000B00000-memory.dmp

memory/4500-103-0x0000000000400000-0x0000000000958000-memory.dmp

memory/3408-105-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/3408-106-0x0000000000400000-0x0000000000903000-memory.dmp

memory/1404-112-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1404-111-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1404-110-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1404-109-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1404-108-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1404-107-0x0000000000400000-0x000000000071D000-memory.dmp

memory/3408-104-0x0000000000B40000-0x0000000000C40000-memory.dmp

memory/2588-91-0x00000000009E0000-0x00000000009E6000-memory.dmp

memory/2300-89-0x0000000000B90000-0x0000000000BA0000-memory.dmp

memory/2300-85-0x00007FFD81190000-0x00007FFD81C51000-memory.dmp

memory/1404-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1404-53-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1404-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2588-114-0x00007FFD81190000-0x00007FFD81C51000-memory.dmp

memory/1404-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1404-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1404-48-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1404-45-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1404-46-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1404-44-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1404-43-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1404-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe

MD5 d41f03922dd969a30b829bce1edae4bf
SHA1 5daf58ea7c8f61c2d3f93b87912e396e7174c2f0
SHA256 bc67d9177900aadb9683586e10a4e87495796e37cb9e5d0a5cdc6e425e689fc5
SHA512 672893c5625577c74adeead3884d034f990bec597b7cd6be4a9073866ab21d705f79f6241e4b769ef2d0d29ece01b591d7212372a472872359d94be620b80e14

C:\Users\Admin\AppData\Local\Temp\7zS82EFD477\setup_install.exe

MD5 ea365547f9b316bfebaebcc1ae271824
SHA1 9758a9a2d7a11a1aba093c474df0b5a2939df88e
SHA256 b88a310f36bf3a3d3a12ef86cd1d20e43135baa14825fc43938f1d53765500e2
SHA512 dea5741bc49ad9453f1cb3382ca7d178fe5ba10bd0ba1d4d73856e0c5e918daed890ebb0400d0f6f2273252ec851367411842fdc1bfb7a1c87bd4bf11310df64

memory/3388-118-0x0000000002B40000-0x0000000002B56000-memory.dmp

memory/2300-124-0x0000000000B90000-0x0000000000BA0000-memory.dmp